The Stable channel should be used by production clusters. Versions of CoreOS are battle-tested within the Beta and Alpha channels before being promoted.
The Beta channel consists of promoted Alpha releases. Mix a few beta machines into your production clusters to catch any bugs specific to your hardware or configuration.
CoreOS releases progress through each channel from Alpha → Beta → Stable. You can think of each release on a lower channel as a release-candidate for the next channel. Once a release is considered bug-free, it is promoted bit-for-bit to the next channel.
If you're deploying a new machine, it is recommended to deploy a version attached to a channel instead of the highest version number available. Documentation for supported platforms will already be up to date with this information. Machines will continue to track the channel they were originally booted with for subsequent updates unless configured otherwise.
Tagged releases are builds of CoreOS that pass automated testing. This information is automatically gathered from GitHub.
CoreOS version numbers are determined by the number of days since the CoreOS epoch, July 1, 2013. Multiple builds occurring on the same day follow semantic versioning.
Feed (json)Security Fixes:
Bug Fixes:
sssd.service (#1604)Changes:
Updates:
Changes:
Security Fixes:
Bug Fixes:
C.UTF-8 locale (#112)Changes:
/usr mount.CONFIG_MLX5_CORE_EN and CONFIG_MLX5_CORE_EN_DCB)CONFIG_MEGARAID_NEWGEN)CONFIG_BPF_SYSCALL, CONFIG_KPROBES, CONFIG_OPTPROBES, CONFIG_KPROBES_ON_FTRACE, CONFIG_KRETPROBES, CONFIG_KPROBE_EVENT, and CONFIG_BPF_EVENTS)kubelet-wrapper script has been updated, changing a few variable names
KUBELET_VERSION has been deprecated in favor of KUBELET_IMAGE_TAGKUBELET_ACI has been deprecated in favor of KUBELET_IMAGE_URLRKT_OPTS has been deprecated in favor of RKT_RUN_ARGSetcd-wrapper script has been updated along with the addition of etcd-member.serviceflannel-wrapper script has been introduced and flanneld.service updated to use itcontainerd.serviceUpdates:
Security Fixes:
Security Fixes:
Security Fixes:
Bug Fixes:
Bug Fixes:
Changes:
/usr mount.Updates:
Bug Fixes:
Updates:
Bug Fixes:
Bug Fixes:
ip= kernel command line options (#981)Updates:
Updates:
Updates:
Security Updates:
Bug Fixes:
cgpt resize (#1527)Updates:
Bug Fixes:
Changes:
Updates:
Bug Fixes:
cgpt repair operationsfile_remove_privs() on overlayfsgptprio command failsChanges:
/dev/disk/by-id links for GCE ephemeral disks (#1465)toolbox in the TOOLBOX_BIND environment variableUpdates:
Bug Fixes:
Security Updates:
Security Updates:
Security:
auth required pam_wheel.so use_uid directly under auth sufficient pam_rootok.so.ioctl() and getattr() on pipefs permissionsBug Fixes:
coreos.autologin is used, don't check password when entering the emergency shell (#1433)/etc/shells (#1474)Changes:
Updates:
Security Updates:
Bug Fixes:
Bug Fixes:
Security Updates:
Bug Fixes:
Changes:
Additions:
Updates:
Security Updates:
Bug Fixes:
Changes:
/dev/kvmUpdates:
Bug Fixes:
Changes:
/dev/kvmUpdates:
Bug Fixes:
Changes:
TCM_IBLOCK and TCM_USER2 in Linux/dev/kvmAdditions:
Updates:
Updates:
Updates:
Updates:
Changes:
Bug Fixes:
Updates:
Changes:
/etc/hosts with an entry for localhost when the file is absentUpdates:
Changes:
Changes:
Fixes:
Changes:
coreos-install
Security Fixes:
operator userChanges:
rkt-admin group which has access to /etc/rktUpdates:
Changes:
512 back to unlimited, restoring the behavior of previous releases. A custom limit may be specified via TasksMax individual units or DefaultTasksMax in /etc/systemd/system.conf. #1281stage1-fly.aci in the kubelet-wrapper script. #1282stage1-coreos.aci. #1283Updates:
Changes:
Security Updates:
Security Updates:
Security Updates:
Security Updates:
Fixes:
Changes:
TaskMax limit for DockerUpdates:
Changes:
-Z) for coreutils. #1059Fixes:
Changes:
Updates:
Fixes:
Fixes:
Updates:
Changes:
Updates:
Changes:
Changes:
Security Updates:
Fixes:
Updates:
Changes:
fleet user instead of root.Security Updates:
Changes:
/lib/modules/$(uname -r)/build. #1082Updates:
Security Updates:
Updates:
Changes:
Security Updates:
Fixes:
/usr is changed, not only when it is newer. This will properly trigger user and group creation. (#1137)Updates:
Changes:
Fixes:
Fixes:
DOCKER_CGROUPS environment variable within docker.service. This can be overridden or removed via a systemd unit drop-in.Changes:
Fixes:
Fixes:
Fixes:
Changes:
Updates:
Fixes:
Additions:
openstack_mini which is identical to openstack but with a smaller root filesystem to offer a little more flexibility in how the disk image is used.Fixes:
--stage1-from-dir option works correctly rkt #2160Updates:
Fixes:
[Install] section to flanneld's systemd unit. #1102coreos-install.Updates:
Fixes:
Fixes:
Fixes:
Changes:
Disabled LLMNR in systemd-networkd. To re-enable it, you must override the configuration snippet:
mkdir -p /etc/systemd/resolved.conf.d
ln -s /dev/null /etc/systemd/resolved.conf.d/10-disable-llmnr.conf
Allow override flannel docker image via an environment variable #1079
Updates:
Fixes:
Changes:
Fixes:
Fixes:
Fixes:
Fixes:
Changes:
Fixes:
Fixes:
Fixes:
Security Fixes:
Updates:
Changes:
Updates:
Fixes:
Updates:
Fixes:
Security Fixes:
Bugs Fixed:
machinectl login from functioning (https://github.com/coreos/bugs/issues/1002)shutdown behavior so that it cleanly terminates SSH connections (https://github.com/coreos/bugs/issues/1009)systemd-nspawn to crash in certain situations (https://github.com/coreos/bugs/issues/1010)Changes:
Security Fixes:
Bug Fixes:
machinectl login from functioning (https://github.com/coreos/bugs/issues/1002)shutdown behavior so that it cleanly terminates SSH connections (https://github.com/coreos/bugs/issues/1009)systemd-nspawn to crash in certain situations (https://github.com/coreos/bugs/issues/1010)Bug Fixes:
Changes:
Changes:
Changes:
Bug Fixes:
Updates:
Bug Fixes:
Changes:
Kernel Changes:
Program Updates:
Library updates:
Updates:
Bug Fixes:
Bug Fixes:
Changes:
/usr/share/oem/oem-release has been replaced with the coreos.oem.id kernel parameter
coreos.oem.id will need to be set to the value of OEM_ID, found in /usr/share/oem/oem-release. This can be done by adding set oem_id="<OEM_ID>" to /usr/share/oem/grub.cfg.Program Updates:
Bug Fixes:
Changes:
/usr/share/oem/oem-release has been replaced with the coreos.oem.id kernel parameter
coreos.oem.id will need to be set to the value of OEM_ID, found in /usr/share/oem/oem-release. This can be done by adding set oem_id="<OEM_ID>" to /usr/share/oem/grub.cfg.Program Updates:
Library updates:
Changes:
Bug Fixes:
coreos.autologin is obeyed even if filesystem root is read-onlyChanges:
Security Fixes:
Changes:
$DOCKER_OPTS from the environment like docker.service does. coreos-overlay #1570Updates:
Fixes:
Changes:
Updates:
Bug Fixes:
Changes:
Changes:
Bug Fixes:
Changes:
Bug Fixes:
Additions:
Updates:
Bug fixes:
Updates:
Updates:
Updates:
Bug fixes:
/etc is initialized correctly. Fixes issues caused by SELinux being enabled but uninitialized in systems that upgraded to 779.0.0. #447selinuxenabled command to work around issue with Ansible. #449Updates:
Changes:
Changes:
Fixes:
Changes:
Fixes:
Changes:
Additions:
Fixes:
Changes:
[Install] section to etcd2 and fleet service units/etc/audit/rules.d. Note that auditd is not included, journald is responsible for logging events instead although it is a best effort mechanism. Unlike with auditd based systems the kernel will not panic if journald fails to record an event for some reason.Additions:
Security Fixes:
Fixes:
Changes:
Fixes:
Changes:
Additions:
Fixes:
Changes:
Additions:
Security Fixes:
Security Fixes:
Security Fixes:
Updates:
Additions/Changes:
/var/log/btmp and /var/log/wtmpselinux=1 to the kernel to enable but this is of limited use, no SELinux user space tools or policies are included yet.systemd-nspawn. This doesn't yet work out of the box, networkd configuration files need to be updated so docker's configuration doesn't conflict with nspawn's.bond interfaces.ixgbevf network devices for Amazon EC2 HVM instances that support it. Amazon brands this as Enhanced Networking. As part of this change we disabled the Predictable Network Interface Names scheme on EC2 to ensure network interfaces remain named eth0, eth1, etc. regardless of whether the ixgbevf or Xen driver is in use. This may impact users who enabled this feature themselves on previous versions which would have named the device ens3 instead of eth0.Updates:
--insecure-registry=0.0.0.0/0 flag from docker service. If you access registries without HTTPS you must set --insecure-registry= yourself.-b base URL option in coreos-installearly-docker.service, broken since 547.0.0. Required by flannel.--insecure-registry=0.0.0.0/0 to docker by default, previously was only committed to the 494.x.x branch by mistake. See https://coreos.com/blog/docker-1-3-2-stable-channel/ for details.